def _get_gce_credentials(
target_audience: Optional[str],
request: Optional[google.auth.transport.Request] = None
) -> Optional[google_auth_credentials.Credentials]:
"""Gets credentials and project ID from the GCE Metadata Service."""
# Ping requires a transport, but we want application default credentials
# to require no arguments. So, we'll use the _http_client transport which
# uses http.client. This is only acceptable because the metadata server
# doesn't do SSL and never requires proxies.
# While this library is normally bundled with compute_engine, there are
# some cases where it's not available, so we tolerate ImportError.
try:
from google.auth import compute_engine
from google.auth.compute_engine import _metadata
except ImportError:
return None
from google.auth.transport import _http_client
if request is None:
request = _http_client.Request()
if _metadata.ping(request=request):
return compute_engine.IDTokenCredentials(
request, target_audience, use_metadata_identity_endpoint=True)
return None
def _get_gce_credentials(request=None):
"""Gets credentials and project ID from the GCE Metadata Service."""
# Ping requires a transport, but we want application default credentials
# to require no arguments. So, we'll use the _http_client transport which
# uses http.client. This is only acceptable because the metadata server
# doesn't do SSL and never requires proxies.
# While this library is normally bundled with compute_engine, there are
# some cases where it's not available, so we tolerate ImportError.
try:
from google.auth import compute_engine
from google.auth.compute_engine import _metadata
except ImportError:
_LOGGER.warning("Import of Compute Engine auth library failed.")
return None, None
if request is None:
request = google.auth.transport._http_client.Request()
if _metadata.ping(request=request):
# Get the project ID.
try:
project_id = _metadata.get_project_id(request=request)
except exceptions.TransportError:
project_id = None
return compute_engine.Credentials(), project_id
else:
_LOGGER.warning(
"Authentication failed using Compute Engine authentication due to unavailable metadata server."
)
return None, None
def _get_gce_credentials(request=None):
"""Gets credentials and project ID from the GCE Metadata Service."""
# Ping requires a transport, but we want application default credentials
# to require no arguments. So, we'll use the _http_client transport which
# uses http.client. This is only acceptable because the metadata server
# doesn't do SSL and never requires proxies.
from google.auth import compute_engine
from google.auth.compute_engine import _metadata
if request is None:
request = google.auth.transport._http_client.Request()
if _metadata.ping(request=request):
# Get the project ID.
try:
project_id = _metadata.get_project_id(request=request)
except exceptions.TransportError:
_LOGGER.warning(
'No project ID could be determined from the Compute Engine '
'metadata service. Consider setting the %s environment '
'variable.', environment_vars.PROJECT)
project_id = None
return compute_engine.Credentials(), project_id
else:
return None, None
def _get_gce_credentials(request=None):
"""Gets credentials and project ID from the GCE Metadata Service."""
# Ping requires a transport, but we want application default credentials
# to require no arguments. So, we'll use the _http_client transport which
# uses http.client. This is only acceptable because the metadata server
# doesn't do SSL and never requires proxies.
from google.auth import compute_engine
from google.auth.compute_engine import _metadata
if request is None:
request = google.auth.transport._http_client.Request()
if _metadata.ping(request=request):
# Get the project ID.
try:
project_id = _metadata.get_project_id(request=request)
except exceptions.TransportError:
_LOGGER.warning(
'No project ID could be determined from the Compute Engine '
'metadata service. Consider setting the %s environment '
'variable.', environment_vars.PROJECT)
project_id = None
return compute_engine.Credentials(), project_id
else:
return None, None
def _get_gce_credentials(request=None):
"""Gets credentials and project ID from the GCE Metadata Service."""
# Ping requires a transport, but we want application default credentials
# to require no arguments. So, we'll use the _http_client transport which
# uses http.client. This is only acceptable because the metadata server
# doesn't do SSL and never requires proxies.
# While this library is normally bundled with compute_engine, there are
# some cases where it's not available, so we tolerate ImportError.
try:
from google.auth import compute_engine
from google.auth.compute_engine import _metadata
except ImportError:
return None, None
if request is None:
request = google.auth.transport._http_client.Request()
if _metadata.ping(request=request):
# Get the project ID.
try:
project_id = _metadata.get_project_id(request=request)
except exceptions.TransportError:
project_id = None
return compute_engine.Credentials(), project_id
else:
return None, None
def test_ping_success():
request = make_request('', headers=_metadata._METADATA_HEADERS)
assert _metadata.ping(request)
request.assert_called_once_with(
method='GET',
url=_metadata._METADATA_IP_ROOT,
headers=_metadata._METADATA_HEADERS,
timeout=_metadata._METADATA_DEFAULT_TIMEOUT)
def test_ping_success_retry():
request = make_request("", headers=_metadata._METADATA_HEADERS, retry=True)
assert _metadata.ping(request)
request.assert_called_with(
method="GET",
url=_metadata._METADATA_IP_ROOT,
headers=_metadata._METADATA_HEADERS,
timeout=_metadata._METADATA_DEFAULT_TIMEOUT,
)
assert request.call_count == 2
def test_ping_success_custom_root():
request = make_request('', headers=_metadata._METADATA_HEADERS)
fake_ip = '1.2.3.4'
os.environ[environment_vars.GCE_METADATA_IP] = fake_ip
reload_module(_metadata)
try:
assert _metadata.ping(request)
finally:
del os.environ[environment_vars.GCE_METADATA_IP]
reload_module(_metadata)
request.assert_called_once_with(
method='GET',
url='http://' + fake_ip,
headers=_metadata._METADATA_HEADERS,
timeout=_metadata._METADATA_DEFAULT_TIMEOUT)
def test_ping_failure_connection_failed():
request = make_request("")
request.side_effect = exceptions.TransportError()
assert not _metadata.ping(request)
def test_ping_failure_bad_flavor():
request = make_request("",
headers={_metadata._METADATA_FLAVOR_HEADER: "meep"})
assert not _metadata.ping(request)
def fetch_id_token(request, audience):
"""Fetch the ID Token from the current environment.
This function acquires ID token from the environment in the following order.
See https://google.aip.dev/auth/4110.
1. If the environment variable ``GOOGLE_APPLICATION_CREDENTIALS`` is set
to the path of a valid service account JSON file, then ID token is
acquired using this service account credentials.
2. If the application is running in Compute Engine, App Engine or Cloud Run,
then the ID token are obtained from the metadata server.
3. If metadata server doesn't exist and no valid service account credentials
are found, :class:`~google.auth.exceptions.DefaultCredentialsError` will
be raised.
Example::
import google.oauth2.id_token
import google.auth.transport.requests
request = google.auth.transport.requests.Request()
target_audience = "https://pubsub.googleapis.com"
id_token = google.oauth2.id_token.fetch_id_token(request, target_audience)
Args:
request (google.auth.transport.Request): A callable used to make
HTTP requests.
audience (str): The audience that this ID token is intended for.
Returns:
str: The ID token.
Raises:
~google.auth.exceptions.DefaultCredentialsError:
If metadata server doesn't exist and no valid service account
credentials are found.
"""
# 1. Try to get credentials from the GOOGLE_APPLICATION_CREDENTIALS environment
# variable.
credentials_filename = os.environ.get(environment_vars.CREDENTIALS)
if credentials_filename:
if not (os.path.exists(credentials_filename)
and os.path.isfile(credentials_filename)):
raise exceptions.DefaultCredentialsError(
"GOOGLE_APPLICATION_CREDENTIALS path is either not found or invalid."
)
try:
with open(credentials_filename, "r") as f:
from google.oauth2 import service_account
info = json.load(f)
if info.get("type") == "service_account":
credentials = service_account.IDTokenCredentials.from_service_account_info(
info, target_audience=audience)
credentials.refresh(request)
return credentials.token
except ValueError as caught_exc:
new_exc = exceptions.DefaultCredentialsError(
"GOOGLE_APPLICATION_CREDENTIALS is not valid service account credentials.",
caught_exc,
)
raise new_exc from caught_exc
# 2. Try to fetch ID token from metada server if it exists. The code
# works for GAE and Cloud Run metadata server as well.
try:
from google.auth import compute_engine
from google.auth.compute_engine import _metadata
if _metadata.ping(request):
credentials = compute_engine.IDTokenCredentials(
request, audience, use_metadata_identity_endpoint=True)
credentials.refresh(request)
return credentials.token
except (ImportError, exceptions.TransportError):
pass
raise exceptions.DefaultCredentialsError(
"Neither metadata server or valid service account credentials are found."
)
def check_gce_environment(http_request):
if not _metadata.ping(http_request, timeout=1):
pytest.skip('Compute Engine metadata service is not available.')
def test_ping_failure_connection_failed(mock_request):
request_mock = mock_request('')
request_mock.side_effect = exceptions.TransportError()
assert not _metadata.ping(request_mock)
def test_ping_failure_bad_flavor(mock_request):
request_mock = mock_request(
'', headers={_metadata._METADATA_FLAVOR_HEADER: 'meep'})
assert not _metadata.ping(request_mock)